I'm still kind of baffled that the rust people saw what js was doing with npm and said "that's a great idea, let's do that!"

Or maybe it's just a lot of previous js devs doing this.

#rust

https://kerkour.com/rust-supply-chain-security-standard-library

Rust has a HUGE supply chain security problem

"If only Rust had this feature, we would use it for all our greenfield projects!" Said nobody. Rust adoption is stagnating not because it's missing some weird feature pushed by programming language theory fanatics, but because of a lack of focus on solving the practical problems that developers are facing

Sylvain Kerkour

@sotolf
"You want to know why no company outside of AWS is making SDKs for Rust? Because it has no official HTTP library. Nobody at $COMPANY will bet their career on a 0.10 third-party package that may be abandoned in the near future or be backdoored overnight.

"But Rust is not designed to build HTTP services. It's for embedded programming!!"

Blahblahblah... For better or worse, today even your toothbrushes and USB cables are WiFi-connected"

What even is this article?

@diegovsky I did not write it, complain to the person writing it if you have issues with it...

@sotolf well, you appeared on my feed so I think it's pretty appropriate to react to your post (?)

Do you understand how social media works?

@diegovsky It's not my post, it's a link to something someone else posted. You don't need to talk to me about errors you think the writer made. Why should I care about your opinion, especially when you come with your anti-furry bigotry as well?

@sotolf The good thing is that it is obvious that a project has dependencies and what exactly it depends on.

I have spent too much time finding random copies from random versions of random libraries (with random patches on top) copied into projects. And do not get me started on "header only libraries" -- the declaration of failure on dependency management.

@hunger Yeah, I love my tui program having 100+ dependencies (ratatui). The thing isn't that there is some automatic dependency thing; the problem is that there is no real stdlib or approximation of one, so what you have is that every other library depends on something else random that you haven't already downloaded. I have found even smaller stuff that I've worked on in rust having a many-GB folder for not really doing much.

@sotolf How would you build such an extended standard library?

* Make a crate with lots of other crates as dependencies. Simple to do, but keeps the entire mess visible.

* Bundle a bunch of crates in one repo. Hides the mess, but needs constant updates to keep in sync with the "real" crates and will not feel like one unit.

* Fork all the dependencies into your repo and smoothen out the API. Lots of work as you fork everything.

I hope there is more, as neither of my ideas seem great.

@hunger The other thing about a stdlib is that it has to be officially blessed so that people know to use it. It would need to have a good API that can influence others. There are a lot of things that are needed, and the best way is to deliver it with the language, which is one of the reasons rust is just not for me.

@sotolf so you want 3): Fork all the good libs, polish and integrate them with each other into one nice package that's blessed by "the language". That probably means a new crate in the rustlang org on github.

You end up setting a huge API into stone, and make it hard to continue developing the functionality: languages with a big stdlib joke that it's where code goes to die.

At some point users start using alternatives in their programs and dependency hell is back.

@hunger yeah yeah, rust is perfect, no way to make it better, other languages suck, I get where this will end up, you get points for "luring me into a trap" but no thanks, not interested in joining another dishonest "discussion".

@sotolf That particular approach seems not to have worked well in python, that's all.

The supply chain problem is very real and trying to automatically analyze all the crates that get uploaded for bad behavior is not going to solve that. `cargo crev` does not seem to scale.

Some form of "blessed crate list" (with extra eyes on those) is needed, we "just" need to figure out a good way to do that without killing what makes the crates popular in the first place.

@sotolf 100% agree with you! this is why all of my crates use minimal dependencies, often zero, sometimes not even std.
@TudbuT Good to see that there are some still fighting it :) Rust is a decent language for many tasks, I'm just not a big fan personally. And I do have some qualms with how so many rust projects do seem to have 100s of dependencies; for me personally it has made me unable to compile a lot of them, since my pc is not new, and not very good :p